Substitution-box for symmetric-key ciphers.



The invention relates to cryptographically converting an input data block into
an output data block using a non-linear operation in the form of a Substitution-box (S-box)
based on a set of permutations.



The application of cryptography in the area of copyright protection of digital
audio and/or video is becoming increasingly important. These applications include contents
encryption/decryption and access management functions. For such applications the well-
known block cipher DES can be used. DES is a Feistel cipher consisting of sixteen rounds.
In each round, first the 32 bits of the right half of the data are expanded to 48 bits. Next, a
48-bit round key, which is computed from a 56-bit DES key with a scheduling algorithm, is
bit-wise added modulo two to these 48 bits. Then a layer of S-boxes performs a non-linear
operation on the data. In DES, the S-box layer consists of eight six-to-four bit S-boxes in
parallel, i.e. each of the S-boxes converts a 6-bit input block into a 4-bit output block using
one fixed mapping table per S-box. The output of the S-box layer is a 32-bit data block on
which a bit-permutation is performed. The S-box substitution is the only non-linear operation
in DES and contributes highly to its security. A drawback of DES is its small key size of 56
bits, which is considered to be insufficient nowadays for offering a high level of security.
However, an exhaustive key search can be avoided by using a longer key combined with a
different key scheduling algorithm for computing the sixteen 48-bit round keys. The two
most powerful attacks on DES published in the open literature are differential and linear
cryptanalysis, which are general attacks that can be applied to a wide range of block ciphers.
It has been shown that DES can not be strengthened much against these attacks by modifying
the key length and/or the key scheduling algorithm. However, changes in the round function
of the algorithm (e.g. in the S-boxes) can influence its strength against these attacks
considerably.

It is an object to design S-boxes with good cryptographic characteristics. It is a
further object that such S-boxes can be efficiently implemented in hardware and software,
allowing a broad use in consumer electronic applications.
2 04.07.2000
To meet the object of the invention, the permutation for the S-box is
dynamically selected from a predetermined set of permutations. Preferably, each permutation
in the set is chosen to provide optimal resistance against known attacks, in particular
differential and linear cryptanalysis. By choosing the permutations (pseudo-)randomly the
system can be made cryptographically stronger than a system in which each S-box consists of
only one fixed permutation. Selection of a permutation from a set can be executed fast and
cost-effectively.

As defined in the measure of the dependent claim 2, the selection is preferably
performed under control of a round key. The algorithm generating the round keys (i.e. the
key scheduling algorithm) can be chosen to obtain a desired degree of pseudo-randomness.
An advantage for using round keys for the selection is that the permutation is selected from
the set during the computation of the round keys. For efficiency reasons, this is usually and
preferably done once for each key and all data that has to be processed (e.g. encrypted) with
this key. In this way the encryption/decryption algorithm can be as efficient as a system
based on S-boxes consisting of only one fixed permutation for each S-box.

As defined in the measure of the dependent claims 3 and 6 a cryptographic
weakness in one of the permutations as reflected in a non-trivial differential and/or linear
characteristic having a predetermined maximum probability is compensated by a
corresponding strength in at least one of the other permutations of the set. An advantage of
this approach is that an adversary can not base a differential or linear attack on these
characteristics without making assumptions on the unknown (round) key(s).

As defined in the measure of the dependent claim 4, the weakness is fully
compensated.

These and other aspects of the invention will be apparent from and elucidated
with reference to the embodiments shown in the drawings.

Figure 1 shows one round of a cipher incorporating the non-linear operation;
Figure 2 illustrates the steps of the round function; and
Figure 3 provides details of the S-box layer of the round function.

For the purpose of explaining the invention, the cryptographic system is
described as a block cipher in the Electronic Codebook (ECB) mode. Persons skilled in the
art will be able to use the system in other modes as well. These include the standard FIPS
modes of operation for DES, i.e. the Cipher Block Chaining (CBC), the Cipher Feedback
(CFB) and the Output Feedback (OFB) mode of operation. In addition, the system can also
be used in well-known constructions for pseudo-random number generators, Message
Authentication Codes (MACs) and Manipulation Detection Codes (MDCs).
The cryptographic apparatus comprises an input for obtaining a digital input
block. The digital input block M may be any suitable size. The apparatus further comprises a
cryptographic processor for converting the digital input block into a digital output block.
Advantageously, the digital output block has substantially equal length as the digital input
block. The apparatus comprises an output for outputting the digital output block. In a
preferred embodiment, the cryptographic processor converts the digital input block into the
digital output block by merging the digital input block with key bits, producing the output
block which non-linearly depends on the input block and the key. To obtain the key (or an
initial key feeding a key scheduler), the cryptographic apparatus comprises a second input. It
will be appreciated that the cryptographic apparatus may be implemented using a
conventional computer, such as a PC, or using a dedicated encryption/decryption device. The
digital input block may be obtained in various ways, such as via a communication network,
from a data storage medium, such as a harddisk or floppy disk, or directly being entered by a
user. Similarly, the digital output block may be output in various ways, such as via a
communication network, stored on a data storage medium, or displayed to a user. Preferably,
secure means are used to this end. The cryptographic processor may be a conventional
processor, such as for instance used in personal computers, but may also be a dedicated
cryptographic processor. The processor is usually operated under control of a suitable
program (firmware) to perform the steps of the algorithm according to the invention. This
computer program product is normally loaded from a background storage, such as a harddisk
or ROM. The computer program product can be stored on the background storage after
having been distributed on a storage medium, like a CD-ROM, or via a network, like the
public Internet. Sensitive information, like an encryption key, is preferably distributed and
stored in a secure way. Techniques for doing so are generally known and not described
further. The cryptographic apparatus may, in part or in whole, be implemented on a smart-
card.

The non-linear operation of the S-box according to the invention performed by
the cryptographic processor will be described in the form of a round function f in a block
cipher as an exemplary application. In itself persons skilled in the art will be able to use the
non-linear function in other cryptographic systems as well, and in other ciphers than the one
described in detail below.



Notations and definitions

The following notation is used in the description of the exemplary algorithm.
Let Z_2^n be the set of all binary vectors of length n (n ≥ 1) with the addition ⊕: Z_2^n × Z_2^n → Z_2^n,
which is defined as a coordinate-wise addition modulo 2 (also referred to as an
exclusive-or, or XOR). For example, (1,0,1,0) and (0,1,1,0) are elements of Z_2^4 and
(1,0,1,0) ⊕ (0,1,1,0) = (1,1,0,0). If n is even and x ∈ Z_2^n, then x^(L) ∈ Z_2^(n/2) and
x^(R) ∈ Z_2^(n/2) are defined as the left and the right half of x respectively. For example,
if x = (1,0,1,1,0,0,1,0) ∈ Z_2^8, then x^(L) = (1,0,1,1) ∈ Z_2^4 and x^(R) = (0,0,1,0) ∈ Z_2^4.
The symbol ∥ is used to denote a concatenation of vectors, e.g. x = (x^(L) ∥ x^(R)). The
elements (also called bits) of a vector x ∈ Z_2^n are numbered from zero to n-1 from the left
to the right, i.e. x =: (x_0, x_1, x_2, ..., x_(n-1)). The inproduct • : Z_2^n × Z_2^n → Z_2 is
defined as x • y = Σ_{i=0,1,...,n-1} x_i y_i ∈ Z_2.

Block cipher structure

The exemplary block cipher is a Feistel cipher and consists of sixteen rounds
(like DES). The block length equals 64 bits and the key length equals 128 bits. Encryption in
Electronic Codebook (ECB) mode of a plaintext X ∈ Z_2^64 into its ciphertext C ∈ Z_2^64 under
the key K ∈ Z_2^128 is denoted by C = E(K,X).

The round function is denoted by f and is a mapping from Z_2^40 × Z_2^32 to Z_2^32.
This round function incorporates the non-linear S-box operation of the invention and will be
described in more detail below. The first input argument of the round function is the round
key K_i ∈ Z_2^40 (where i indicates the round number, i = 1, 2, ..., 16). These round keys are
computed from the 128 bit key K with a so-called key scheduling algorithm. Any suitable
key scheduling algorithm may be used and is not described in detail. The second input
argument is the right half of the intermediate result after round i-1. This intermediate result is
denoted by X_i ∈ Z_2^64 (i = 0,1,...,16) with X =: (X_0^(L) ∥ X_0^(R)).

With this notation the computation of the ciphertext C ∈ Z_2^64 consists of the
following steps, as illustrated in Figure 1:

1. Compute X_i^(R) = X_(i-1)^(L) ⊕ f(K_i, X_(i-1)^(R)) and set X_i^(L) = X_(i-1)^(R) for i = 1,2,...,15.
2. Compute X_16^(L) = X_15^(L) ⊕ f(K_16, X_15^(R)) and set X_16^(R) = X_15^(R). The ciphertext is defined
as C := (X_16^(L) ∥ X_16^(R)).

Fig. 1A shows the cipher structure used for the first fifteen rounds (i = 1, 2, ...,
15), Fig. 1B shows the last, sixteenth round. Note the irregular swap in Fig. 1B compared to
the previous rounds of Fig. 1A. This is usually done in Feistel structures, because in this case
the decryption algorithm (i.e. computing X = E^-1(K,C)) is the same as the encryption
algorithm (with the round keys in reverse order). It has no meaning in a cryptographic sense.



Round function

Fig. 2 shows an overall block diagram of a preferred embodiment of the round
function f. First a part of the round key, of for instance 32 bits, is added to the data bits in step
210. Next, in step 220, the S-boxes perform a non-linear substitution, preferably providing an
optimal (local) resistance against differential and linear cryptanalysis. In addition, preferably
the non-trivial (local) characteristics with a predetermined maximum probability are made
(round) key dependent, as described below in more detail. Finally, in step 230 a linear
transformation is used to provide a high diffusion over multiple rounds. Any suitable linear
transformation may be used. The linear transformation is not the subject of the present
invention and will not be described in detail.

The Feistel structure puts no restrictions on the surjectivity of the round
function. However, preferably the round function is bijective for every choice for the fixed
(round) key. This avoids attacks based on the non-uniformity of the round function.

Figure 3 provides more details of a preferred arrangement incorporating the S-
box according to the invention. In this exemplary system the round function f is a mapping
from Z_2^40 × Z_2^32 to Z_2^32. The first input argument is the round key K_i ∈ Z_2^40, the second one
the right half of the intermediate result X_(i-1). The output is denoted by f(K_i, X_(i-1)^(R)) ∈ Z_2^32. In
this figure, K_i^(1) ∈ Z_2^32 and K_i^(2) ∈ Z_2^8 are defined as K_i =: (K_i^(1) ∥ K_i^(2)). In step 210, the key
addition takes place, followed in step 220 by a key-dependent Substitution-box (S-box) layer.
In this example, the S-box layer consists of eight smaller S-boxes (S_0, S_1, ..., S_7),
each operating on 1/8 of the data block. The S-box transformation is a mapping from Z_2^8 ×
Z_2^32 to Z_2^32; the first input argument in round i is the round key K_i^(2), the second one the
result of the key addition, i.e. X_(i-1)^(R) ⊕ K_i^(1). The 32 bit output of the S-box transformation is
denoted by S(K_i^(2), X_(i-1)^(R) ⊕ K_i^(1)). A detailed description of this mapping will be given
below. Finally, in step 230 a suitable linear transformation from Z_2^32 to Z_2^32 is applied. The
input is S(K_i^(2), X_(i-1)^(R) ⊕ K_i^(1)), its output is denoted by L(S(K_i^(2), X_(i-1)^(R) ⊕ K_i^(1))). With this
notation the function f is given by:



S-boxes

According to the invention, an S-box performs a substitution of the data. In a
preferred embodiment described here, the S-box operates on a 4-bit sub-block. It will be
appreciated that also sub-blocks of other sizes can be used. According to the invention, for
each S-box a set of at least two predetermined permutations is used, where each time before
using the S-box one of these permutations is selected in a (pseudo-)random manner.
Preferably, the round key is used for this selection. In a preferred embodiment, each S-box is
associated with two permutations, where one predetermined bit of the round key is used to
select which of both permutations is used. Using S-boxes
operating on 4-bit sub-blocks will normally require a row of parallel S-boxes, each being
associated with a respective set of at least two non-linear permutations. In a preferred
embodiment of a block cipher operating on 32-bit blocks and using 4-bit S-boxes, eight S-
boxes are used in parallel, each of which consists of two permutations. For this embodiment
the following notation is used. Let the bits in the first input argument K_i^(2) of the S-box
transformation be denoted by k_j^(i) (j = 0,1,...,7), i.e. K_i^(2) =: (k_0^(i), k_1^(i), ..., k_7^(i)). The vectors
N_j^(i) ∈ Z_2^4 (j = 0,1,...,7) are defined as X_(i-1)^(R) ⊕ K_i^(1) =: (N_0^(i) ∥ N_1^(i) ∥ ... ∥ N_7^(i)). The S-box
mapping consists of a concatenation of eight mappings S_j : Z_2 × Z_2^4 → Z_2^4 (j = 0,1,...,7). The
first input argument is the key bit k_j^(i), which selects which of the two permutations for S_j is
used. The second input argument is N_j^(i), which is the input for the selected 4-bit permutation
for S_j. The corresponding 4-bit output of this permutation is also the output of the S-box, and
is denoted by S_j(k_j^(i), N_j^(i)). With this notation the function S is given by:

S(K_i^(2), X_(i-1)^(R) ⊕ K_i^(1)) = ( S_0(k_0^(i), N_0^(i)) ∥ S_1(k_1^(i), N_1^(i)) ∥ ... ∥ S_7(k_7^(i), N_7^(i)) ).
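
The Feistel steps, the round function and the key-selected S-box layer described above, put together as an added example (not code from the patent). The key schedule, the linear transformation and all sixteen permutations are constructed stand-ins: the description leaves the first two open, and its own permutation tables are not reproduced on this page.

```python
import hashlib

MASK32 = 0xFFFFFFFF

# Constructed 4-bit permutation: inversion in GF(2^4), zero mapped to itself.
BASE = [0, 1, 9, 14, 13, 11, 7, 6, 15, 2, 12, 5, 10, 4, 3, 8]

# Eight S-boxes S_0..S_7, each a pair (P0, P1). Constructed stand-ins made by
# XOR-ing a constant onto BASE's output (P0) or input (P1); not the patent's tables.
PAIRS = [([BASE[x] ^ j for x in range(16)],
          [BASE[x ^ (j + 1)] for x in range(16)]) for j in range(8)]


def rotl32(v, r):
    return ((v << r) | (v >> (32 - r))) & MASK32


def round_keys(key: bytes):
    """Toy key schedule (assumption): sixteen 40-bit round keys from SHA-256."""
    if len(key) != 16:
        raise ValueError("key must be 128 bits")
    return [int.from_bytes(hashlib.sha256(key + bytes([i])).digest()[:5], "big")
            for i in range(1, 17)]


def sbox_layer(k2, data):
    """S(K2, data): key bit k_j picks which permutation S_j applies to nibble N_j."""
    out = 0
    for j in range(8):
        kj = (k2 >> (7 - j)) & 1             # bits are numbered from the left
        nj = (data >> (28 - 4 * j)) & 0xF    # N_0 is the leftmost nibble
        out = (out << 4) | PAIRS[j][kj][nj]
    return out


def linear(y):
    """Stand-in linear map; an odd number of rotation terms keeps it bijective."""
    return y ^ rotl32(y, 7) ^ rotl32(y, 18)


def f(ki, right):
    """Round function: key addition (210), S-box layer (220), linear map (230)."""
    k1, k2 = ki >> 8, ki & 0xFF              # K_i = (K1 || K2): 32 + 8 bits
    return linear(sbox_layer(k2, right ^ k1))


def crypt(keys, block):
    left, right = block >> 32, block & MASK32
    for ki in keys[:15]:                     # rounds 1..15: swap halves
        left, right = right, left ^ f(ki, right)
    left ^= f(keys[15], right)               # round 16: no swap
    return (left << 32) | right


def encrypt(key, block):
    return crypt(round_keys(key), block)


def decrypt(key, block):
    # Same algorithm with the round keys in reverse order.
    return crypt(round_keys(key)[::-1], block)


if __name__ == "__main__":
    k = bytes(range(16))                     # constructed sample key
    c = encrypt(k, 0x0123456789ABCDEF)
    print(hex(c), hex(decrypt(k, c)))
```

Because the selector bits come from the round key, the sixteen table choices per round are fixed once per key, so the per-block cost matches a cipher with fixed S-boxes.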



Differential and linear characteristics of a permutation
The following design criteria are preferably used for the individual permutations:

1. Resistance against differential cryptanalysis: the maximum non-trivial value in the XOR
distribution table equals a predetermined maximum. Assuming 4-bit permutations, this
maximum is 4, i.e. each non-trivial differential characteristic has a probability of at most
1/4. The concept of differential characteristic and XOR distribution table is generally
known. It has been described publicly for the first time in 1990 by Biham and Shamir, for
instance in "Differential Cryptanalysis of DES-Like Cryptosystems", Journal of
Cryptology, Volume 4 (1), 1991, pp. 3-72.
2. Resistance against linear cryptanalysis: the maximum non-trivial absolute value in the
linear approximation table equals a predetermined maximum. Assuming 4-bit
permutations, this maximum is 4, i.e. each non-trivial linear characteristic has a
probability between 1/4 and 3/4. The concept of linear characteristic and linear
approximation table is generally known. It has been described publicly for the first time
by Matsui. A description is given in E. Biham, "On Matsui's Linear Cryptanalysis",
EUROCRYPT'94, LNCS 950, Springer, 1995, pp. 341-355.






Preferably each permutation meets both of these requirements. Above criteria
are described in detail for 4-bit non-linear permutations. It can be proven that these criteria
are optimal for 4-bit permutations, i.e. there exists no 4-bit permutation with a maximal non-
trivial XOR distribution table value smaller than 4, and there exists no 4-bit permutation with
a maximal non-trivial absolute value in its linear approximation table that is smaller than 4.

Permutations meeting above criteria can be created by randomly generating a
permutation and testing whether the generated permutation meets the criteria. Also other
suitable techniques may be used, like exhaustive search until a suitable permutation is found
or using (mathematical) construction methods. One particular example of a construction
method is based on the inversion mapping in the finite field with 2^n elements, with zero
mapped to itself, and can be found in K. Nyberg, "Differentially uniform mappings for
cryptography", EUROCRYPT'93, LNCS 765, Springer, 1994, pp. 55-64. The corresponding
criteria satisfied by the n-bit S-boxes constructed according to this method, with n even, are
given by:

1. Resistance against differential cryptanalysis: the maximum non-trivial value in the XOR
distribution table equals 4, i.e. each non-trivial differential characteristic has a probability
of at most 4/2^n.

2. Resistance against linear cryptanalysis: the maximum non-trivial absolute value in the
linear approximation table equals 2^(n/2), i.e. each non-trivial linear characteristic has a
probability between 1/2 - 1/2^(n/2) and 1/2 + 1/2^(n/2).

It is easily seen that these criteria generalize the ones given above for 4-bit permutations. It is
well-known that applying any invertible affine mapping (over Z_2^n) on all input elements
and/or on all the output elements of an n-bit S-box does not affect its maximum non-trivial
XOR value or its maximum non-trivial absolute value in its linear approximation table. In
this way a number of S-boxes satisfying above criteria can be constructed from a single
S-box.

According to the invention an S-box is associated with at least two non-linear
permutations. The permutations in the set have been selected such that they compensate each
other's weaknesses. This will be described in more detail for the differential and linear
characteristics respectively. The additional criteria will be illustrated using an S-box, e.g. S_0
with the following two permutations:
The rows 0 and 1 represent the output of the two permutations, corresponding to the input
defined by the column number. In the following, these two permutations will be denoted by
P_0 and P_1 respectively. Both input and output are given in hexadecimal notation. For instance,
if the first permutation is selected (i.e. k_0^(i) = 0), and N_0^(i) = 3 then the output equals 9, i.e.
S_0(0,3) = 9. Similarly, S_0(1,3) £ Assuming eight parallel S-boxes, each associated with two
permutations specific for that box, a total of 16 different permutations need to be generated.
Preferably, each of those permutations meets all criteria given above. According to the
invention, the permutations belonging to one S-box, as a set, also meet at least one, and
preferably both, of the criteria given below.

Differential characteristics of a set of permutations
A set of permutations for one S-box satisfies the following criterion:
1. If a non-trivial differential characteristic in one of the permutations has maximum
probability, then this differential characteristic has a lower probability in at least one of
the other permutations.

It will be appreciated that in this way the weakness in one of the permutations
is compensated by a strength in one of the other permutations. Preferably, the lower
probability is zero, optimally compensating a weakness. The preferred criterion, therefore,
for a pair of 4-bit permutations for one S-box is: if a non-trivial differential characteristic in
one of the two permutations has probability 1/4, then this differential characteristic has
probability 0 in the other permutation, i.e. each non-trivial (round) key-independent
differential characteristic of an S-box has a probability of at most 1/8.

To illustrate that the two described permutations P_0 and P_1 meet this criterion,
their XOR distribution tables are given below. The entry in row α and column β in the XOR
distribution table of P_i (with α,β ∈ Z_2^4) is denoted by X_i^(α,β) and is defined as:

X_i^(α,β) := #{ x ∈ Z_2^4 | P_i(x) ⊕ P_i(x ⊕ α) = β }, i = 0,1.

I.e. X_i^(α,β) equals the number of input pairs with difference α that causes a difference β in the
corresponding output pair for the permutation P_i.

XOR distribution table of P_0
The probability for a given (local) differential characteristic, i.e. the probability that an input
difference α causes an output difference β (denoted by α→β), can be found by dividing the
corresponding entry by the total number of input pairs with the given input difference. This
total number of input pairs equals sixteen for 4-bit permutations, so the probability that α→β
is given by X_i^(α,β)/16. Note that the entries in the first row and column of these tables represent
the trivial characteristic, i.e. 0→0 with probability one, which always holds for permutations.
It is easily seen that all other (non-trivial) differential characteristics have probability smaller
or equal to 1/4, since the maximum value over all other entries equals 4 for both permutations.

XOR distribution table of P_1
The compensation effect can, for instance, be seen by considering the characteristic 7→5 for
both permutations. For P_0 the probability that 7→5 equals X_0^(7,5)/16 = ; for P_1 this probability
is given by X_1^(7,5)/16 = 0. Preferably this compensation occurs for as many as possible
elements. In the example, this holds for all elements with the maximum XOR difference
value of four. Using well-known techniques for generating and testing permutations, a person
skilled in the art can create eight such pairs of permutations within a few days for 4-bit
permutations. Alternatively, a different pair of permutations P_0* and P_1* satisfying the criteria
can be constructed from P_0 and P_1 by e.g. applying an affine transformation on the output of
both of these permutations. This can be done by selecting a non-singular 4×4 matrix A
over Z_2 and a vector b ∈ Z_2^4 and defining P_0*(x) := P_0(x)A ⊕ b and P_1*(x) := P_1(x)A ⊕ b for
all x ∈ Z_2^4. It can be easily verified that in this way 322560 different (ordered) pairs of
permutations can be constructed, each of which satisfies all above criteria. Note that one of
these transformations is the identity mapping from Z_2^4 to Z_2^4, i.e. P_0* = P_0 and P_1* = P_1.

Linear characteristics of a set of permutations
A set of permutations for one S-box satisfies the following criterion:
1. If a non-trivial linear characteristic in one of the permutations has a probability with a
maximal absolute difference from 1/2, then this linear characteristic has a probability that
is closer to 1/2 in at least one of the other permutations.

It will be appreciated that in this way the weakness in one of the permutations
is compensated by a strength in one of the other permutations. Preferably, the corresponding
probability in one of the other permutations equals 1/2, optimally compensating a weakness.
The preferred criterion, therefore, for a pair of 4-bit permutations for one S-box is: if a linear
characteristic in one of the two permutations has probability 1/4 or 3/4, then this linear
characteristic has probability 1/2 in the other permutation, i.e. each (round) key-independent
linear characteristic of an S-box has a probability between 3/8 and 5/8.

To illustrate that the two described permutations P_0 and P_1 meet this criterion,
their linear approximation tables are given below. The entry in row α and column β in the
linear approximation table of P_i (with α,β ∈ Z_2^4) is denoted by L_i^(α,β) and is defined as:

L_i^(α,β) := #{ x ∈ Z_2^4 | x • α = P_i(x) • β } - 8, i = 0,1.

I.e. for the permutation P_i, L_i^(α,β) represents the number of inputs for which the linear relation
on the input bits defined by α equals the linear relation on the corresponding output bits
defined by β minus 8, which is the ideal number for 4-bit permutations (more generally, the
ideal value is 2^(n-1) for n-bit permutations).

Linear approximation table of P_0
The probability for a given (local) linear characteristic, i.e. the probability that the linear
relation on the input bits defined by α equals the linear relation on the output bits defined by
β (denoted by α→β), equals 1/2 + L_i^(α,β)/16. Note that the entries in the first row and column of
these tables represent the trivial characteristic, i.e. 0→0 with probability one, which holds for
any mapping. It is easily seen that all other (non-trivial) differential characteristics have
probability between 1/4 and 3/4, since the minimum and maximum value over all other entries
equal minus four and four respectively for both permutations.
The compensation effect can, for instance, be seen by considering the linear characteristic
2→3 for both permutations. For P_0 the probability that 2→3 equals 1/2 + L_0^(2,3)/16 = ; for P_1
this probability is given by 1/2 + L_1^(2,3)/16 = 1/2. Preferably this compensation occurs for as
many as possible elements. In the example, this holds for all elements with the maximum
absolute value of four. Using well-known techniques for generating and testing permutations,
a person skilled in the art can create eight such pairs of permutations within a few days for 4-
bit permutations. Alternatively, a different pair of permutations P_0* and P_1* satisfying the
criteria can be constructed from P_0 and P_1 by e.g. applying an affine transformation on the
output of both of these permutations. This can be done by selecting a non-singular 4×4
matrix A over Z_2 and a vector b ∈ Z_2^4 and defining P_0*(x) := P_0(x)A ⊕ b and P_1*(x) :=
P_1(x)A ⊕ b for all x ∈ Z_2^4. It can be easily verified that in this way 322560 different
(ordered) pairs of permutations can be constructed, each of which satisfies all above criteria.
Note that one of these transformations is the identity mapping from Z_2^4 to Z_2^4, i.e. P_0* = P_0
and P_1* = P_1.
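
An added example (not from the patent) that computes the XOR distribution and linear approximation tables as defined above and tests both the per-permutation criteria and the two set criteria. The pair is constructed: P0 is the GF(2^4) inversion mapping (field polynomial x^4 + x + 1 is an assumption) and P1 is P0 with its output multiplied by the field constant 8, an invertible linear map; the description's own P_0 and P_1 tables are not reproduced on this page.

```python
from fractions import Fraction


def gf16_mul(a, b):
    """Multiply in GF(2^4) modulo x^4 + x + 1 (polynomial assumed for this example)."""
    r = 0
    for _ in range(4):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x10:
            a ^= 0x13
    return r


def inversion_perm():
    """Inversion mapping in GF(2^4), with zero mapped to itself."""
    inv = [0] * 16
    for x in range(1, 16):
        inv[x] = next(y for y in range(1, 16) if gf16_mul(x, y) == 1)
    return inv


def xor_table(p):
    """X[a][b] = #{x : p(x) XOR p(x XOR a) = b}."""
    t = [[0] * 16 for _ in range(16)]
    for a in range(16):
        for x in range(16):
            t[a][p[x] ^ p[x ^ a]] += 1
    return t


def dot(u, v):
    """Inproduct of two 4-bit vectors over Z_2."""
    return bin(u & v).count("1") & 1


def linear_table(p):
    """L[a][b] = #{x : x.a = p(x).b} - 8."""
    return [[sum(dot(x, a) == dot(p[x], b) for x in range(16)) - 8
             for b in range(16)] for a in range(16)]


def nontrivial(t):
    return [(a, b, t[a][b]) for a in range(16) for b in range(16) if (a, b) != (0, 0)]


def max_abs(t):
    """Largest non-trivial absolute entry; 4 is optimal for 4-bit permutations."""
    return max(abs(v) for _, _, v in nontrivial(t))


def compensated(t0, t1, full):
    """Set criterion: wherever one table reaches the maximum (4), the other is
    strictly smaller in absolute value (full=False) or exactly zero (full=True)."""
    for strong, other in ((t0, t1), (t1, t0)):
        for a, b, v in nontrivial(strong):
            if abs(v) == 4:
                o = other[a][b]
                if (o != 0) if full else (abs(o) >= 4):
                    return False
    return True


def key_independent_max_diff(d0, d1):
    """Largest differential probability when the selecting key bit is unknown and uniform."""
    return max(Fraction(d0[a][b] + d1[a][b], 32) for a, b, _ in nontrivial(d0))


P0 = inversion_perm()
P1 = [gf16_mul(8, y) for y in P0]            # constructed partner permutation

if __name__ == "__main__":
    d0, d1 = xor_table(P0), xor_table(P1)
    l0, l1 = linear_table(P0), linear_table(P1)
    print("differential, preferred criterion:", compensated(d0, d1, full=True))
    print("linear, basic criterion:", compensated(l0, l1, full=False))
    print("linear, preferred criterion:", compensated(l0, l1, full=True))
    print("key-independent max differential probability:", key_independent_max_diff(d0, d1))
```

This constructed pair meets the preferred differential criterion (every entry of 4 faces a 0, giving 1/8 when the key bit is unknown) but only the basic linear one, which is why a search for pairs has to test both tables.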
CLAIMS:

1. A method for cryptographically converting an input data block into an output
data block; the method including performing a non-linear operation on the input data block
using an S-box based on a permutation,
wherein the method includes each time before using the S-box (pseudo-)randomly selecting
the permutation from a predetermined set of at least two permutations associated with the S-
box.

2. A method as claimed in claim 1, including performing the selection of the
permutation under control of an encryption key.



3. A method as claimed in claim 1, wherein the data block consists of n data bits
and each element of the set of permutations is a permutation on a set of 2^n elements,
represented by Z_2^n, where each non-trivial differential characteristic of each permutation in
this set has a probability of at most p_diff, the set of permutations being formed by
permutations which have been selected such that for each non-trivial differential
characteristic with probability of p_diff in any of the permutations, this differential
characteristic has a probability lower than p_diff in at least one of the other permutations of the
set.

4. A method as claimed in claim 3, wherein the differential characteristic has a
probability equal to zero in at least one of the permutations.

5. A method as claimed in claim 4, wherein n = 4, and p_diff = 1/4.

6. A method as claimed in claim 1, wherein the data block consists of n data bits
and each element of the set of permutations is a permutation on a set of 2^n elements,
represented by Z_2^n, where each non-trivial linear characteristic of each permutation in this set
has a probability of at least 1/2 - p_lin and at most 1/2 + p_lin, the set of permutations being formed
by permutations which have been selected such that for each non-trivial linear characteristic
with probability of 1/2 - p_lin or 1/2 + p_lin in any of the permutations, this linear characteristic has
a probability closer to 1/2 in at least one of the other permutations of the set.

7. A method as claimed in claim 5, wherein the linear characteristic has a
probability equal to 1/2 in at least one of the permutations.

8. A method as claimed in claim 6, wherein n = 4 and p_lin = 1/4.

9. A method as claimed in claim 1, wherein the set of permutations consists of
two permutations.

10. A method as claimed in claim 2 and 9, wherein the selection of the
permutation is performed under control of one bit of the encryption key.

11. A computer program product where the program product is operative to cause
a processor to perform the method of claim 1.

12. A system for cryptographically converting an input data block into an output
data block; the system including:
an input for receiving the input data block;

a storage for storing a predetermined set of at least two permutations
associated with an S-box;

a cryptographic processor for performing a non-linear operation on the input
data block using an S-box based on a permutation; the processor being operative to, each
time before using the S-box, (pseudo-)randomly selecting the permutation from the stored set
of permutations associated with the S-box; and

an output for outputting the processed input data block.
ABSTRACT:

An input data block is cryptographically converted into an output data block
by performing a non-linear operation on the input data block using an S-box based on
permutations. The S-box is associated with a set of at least two permutations. Each time
before the S-box is used, one of the permutations is (pseudo-)randomly selected from the set
of permutations and used for the conversion.